HIPAA/LAW:
Legal Q/A
February 2002
"Writing Business Associate Contracts"
by Steve Fox, Esq., & Rachel Wilson, Esq.,
Pepper Hamilton LLP
QUESTION: We're starting to look at our Business Associates.
What should we consider when developing the Business Associate contracts
required by HIPAA?
ANSWER: It's not too soon to incorporate HIPAA's Business
Associate requirements into contracts with existing vendors or to
open a dialogue about the requirements during negotiations with
potential vendors, and include relevant provisions in resulting
contracts.
HIPAA's Privacy Regulation requires covered entities to obtain
satisfactory assurance that their Business Associates will "appropriately
safeguard" protected health information ("PHI").
These assurances must be documented in a written contract or other
written agreement with the Business Associate. There are three elements
essential to obtaining the required assurances.
First, contracts should include, or make specific reference to,
the Business Associate contract terms set forth in the Privacy Regulation,
particularly those terms related to the Business Associate's use
and disclosure of PHI. Contracts should also include concrete examples,
performance criteria, or the standard of care required to satisfy
the corresponding HIPAA requirement. For example, under the Privacy
Regulation, Business Associate contracts must provide that Business
Associates will use appropriate safeguards to prevent the use or
disclosure of PHI in any manner not set forth under the agreement.
Because the actions of Business Associates (as they relate to the
use and disclosure of PHI) are considered to be the actions of the
covered entity that engaged them, it is imperative that the contracts
define a minimum standard of performance that, if met, will constitute
an "appropriate safeguard." This is also important because
covered entities have an obligation to disclose their privacy practices
to patients. It will be difficult to prepare a Notice of Privacy
Practices without an understanding of, and comfort level with, the
safeguards implemented by a Business Associate.
Second, Business Associate contracts must contemplate future amendment
and modification. Business Associates should agree, by way of example,
that if:
- the Privacy Regulation is modified by Congress or HHS, or is
interpreted by a court in a manner impacting compliance, or
- there is a material change in the business practices and procedures
of the covered entity,
then the Business Associate contract may be amended. This puts
the Business Associate on notice that the agreement is a living
document which may evolve during the course of performance.
Finally, a covered entity must have the unilateral right to terminate
a Business Associate contract if it determines that the Business
Associate has violated a material term of the contract. This remains
one of the most difficult areas of negotiation with vendors. However,
since covered entities are subject to sanctions if they have knowledge
of a Business Associate's wrongful activity and fail to take reasonable
steps to have the breach cured, this is an essential term in every
Business Associate contract. If a covered entity is unable to effect
a cure, it must either terminate the contract or report the problem
to HHS.
Steve Fox, Esq., is a partner at the Washington, DC office of Pepper
Hamilton LLP. This article was co-authored by Rachel H. Wilson,
Esq., of Pepper Hamilton LLP. www.pepperlaw.com/
Disclaimer: This information is general in nature and should not
be relied upon as legal advice.